FIM Hunting: How To Kill and Remove Unwanted Files

Organizations have a deep interest in detecting and preventing threats within their environments. From firewalls to file integrity monitors, there are many opportunities to catch and stop attackers in their tracks.

A basic workflow for IT security revolves around prevention, detection and remediation. As a researcher on Tripwire's Security and Compliance Solutions team, I spend my time on analysis and research across all three of these areas.

A number of hardening standards are available for everything from applications to operating systems. We have also examined what attacks look like once they reach the endpoint. Customers have a wide array of content available to monitor critical system files for change, as well as cybercrime controls to detect some of the most common attacks against systems.

The majority of the content delivered also includes guidance on how to return the application or system back to a known good configuration to remediate any issues found in the environment, but did you know that you can do more?

A new file being placed on a system can be a red flag for various reasons. Perhaps this file was not authorized by the change management solution; perhaps the file is known to be a piece of malware as identified by a third-party threat intelligence provider. Another possibility is that it’s a new process that the system doesn’t know about.

Tripwire Enterprise gives you the power to remediate any number of scenarios, including a process that shouldn't be running and should be killed.

Alternatively, if a file was added that doesn't belong, it can be deleted. In both instances, kill or delete, automation can be added to shorten the attacker's window. The two actions belong together: deleting a binary does not stop a process that is already running from it, and killing a process leaves the file on disk to be relaunched, so kill first, then remove the file, keeping a hashed copy for forensics.
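The loop described above, as an added illustration that is not Tripwire's code: a baseline snapshot of a directory tree is diffed against a later one, each new file is checked against a change-management allow list and a threat-intel hash set (both constructed here, as are the directory contents and the process table), and flagged files are handled by killing the owning process first and then moving the file to a quarantine directory named by its hash, with an audit record of every step.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sh", ".bin")  # assumption: suffix-based check


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map posix-style relative path -> sha256 for every file under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return snap


@dataclass
class Finding:
    path: str
    sha256: str
    reasons: tuple


def classify_new_files(baseline, current, approved, bad_hashes, freeze=False):
    """Flag files present in `current` but absent from `baseline`.
    approved: paths authorized by change management; bad_hashes: threat-intel digests."""
    findings = []
    for rel, digest in sorted(current.items()):
        if rel in baseline:
            continue  # modified files are a separate FIM rule; only new files here
        reasons = []
        if digest in bad_hashes:
            reasons.append("hash matches threat-intel feed")
        if rel not in approved:
            reasons.append("no approved change record")
            if freeze and rel.endswith(EXECUTABLE_SUFFIXES):
                reasons.append("executable dropped during code freeze")
        if reasons:
            findings.append(Finding(rel, digest, tuple(reasons)))
    return findings


def plan_response(findings, process_table, root):
    """process_table: list of (pid, image path). Kill precedes quarantine because
    unlinking a running binary does not stop the process."""
    actions = []
    for f in findings:
        image = os.path.normpath(os.path.join(root, f.path))
        for pid, exe in process_table:
            if os.path.normpath(exe) == image:
                actions.append(("kill", pid, f.path))
        actions.append(("quarantine", f.path, f.sha256))
    return actions


def execute_plan(actions, root, qdir, kill):
    """`kill(pid)` is injected so the demo never signals a real process
    (production would use os.kill(pid, signal.SIGKILL)). Returns the audit log."""
    audit = []
    for action in actions:
        if action[0] == "kill":
            _, pid, path = action
            kill(pid)
            audit.append({"action": "kill", "pid": pid, "path": path})
            continue
        _, rel, expected = action
        src = os.path.join(root, rel)
        if sha256_file(src) != expected:  # changed since detection: re-scan, do not act blind
            audit.append({"action": "skip", "path": rel, "reason": "hash drift"})
            continue
        dst = os.path.join(qdir, expected)  # forensic copy, named by hash
        shutil.move(src, dst)
        audit.append({"action": "quarantine", "path": rel, "sha256": expected})
    return audit


def demo():
    """Constructed POS scenario: one attacker drop, one approved hotfix, during a freeze."""
    root, qdir = tempfile.mkdtemp(), tempfile.mkdtemp()

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    put("pos/bin/register.exe", b"legit register binary (constructed)")
    put("pos/config.ini", b"[store]\nid=42\n")
    baseline = snapshot(root)
    payload = b"memory scraper payload (constructed)"
    put("pos/bin/svchost.exe", payload)                         # unauthorized drop
    put("pos/bin/hotfix.exe", b"vendor hotfix (constructed)")  # covered by a change ticket
    findings = classify_new_files(baseline, snapshot(root), approved={"pos/bin/hotfix.exe"},
                                  bad_hashes={hashlib.sha256(payload).hexdigest()}, freeze=True)
    procs = [(1, "/sbin/init"), (4242, os.path.join(root, "pos", "bin", "svchost.exe"))]
    actions = plan_response(findings, procs, root)
    killed = []
    audit = execute_plan(actions, root, qdir, kill=killed.append)
    return {"findings": findings, "actions": actions, "audit": audit, "killed": killed,
            "payload_present": os.path.exists(os.path.join(root, "pos", "bin", "svchost.exe")),
            "quarantined": os.path.exists(os.path.join(qdir, findings[0].sha256)) if findings else False}


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The hash re-check before quarantine matters in practice: a response queued from an earlier scan should not act on a file that has since changed, which is why every action carries the digest observed at detection time.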

A good example of this functionality is responding to the point-of-sale (POS) malware that has been seen over the past two years.

Once the file has been discovered on the POS device, actions can be taken against the malware. In many of the breaches, the malware was placed on devices in the middle of a code freeze, when no new files, let alone executable files, should have been placed on the systems. Being able to kill the process quickly minimizes the risk and slows the spread of the infection.

A major benefit of these capabilities is that everything is managed from a single centralized console; there is no need to manually log into any endpoints. Full auditing allows administrators to quickly report on what files were found, killed and deleted.